MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f4b800989b8b2a9d2780525bbab21a1348de10090b706d557c1a1dc185d85d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f4b800989b8b2a9d2780525bbab21a1348de10090b706d557c1a1dc185d85d9
SHA3-384 hash: 2d300d69c9e6cc56f387706622b7024545a5ce8c2ebe08c39032e14a1bd9fa60778d966328205ed683dee3b43f6cebc5
SHA1 hash: 12454015201a16c2795732814ee1e4a829295c41
MD5 hash: 33560e0b01fcf591a0dfc7a49ac0e2f5
humanhash: island-bravo-paris-west
File name:rNuevoorden_009.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:229'376 bytes
First seen:2024-07-11 10:17:06 UTC
Last seen:2024-07-11 10:57:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:jd0F4chZslcFBOWSSszb4PWaJwoHi/DyagoWuo0dIy6ZiOWHmHSy28hCZnOEq9C6:x0F4chZslcFBOWSSszb4PWaJwoHi/DyG
Threatray 51 similar samples on MalwareBazaar
TLSH T1B924028073E58AC3D539763DA257C3941271E52D7782FB2B8ACD726E8D133EB5C580A2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d2e8ecb2b2a2b282 (106 x AgentTesla, 106 x Formbook, 24 x RedLineStealer)
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
371
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
8f4b800989b8b2a9d2780525bbab21a1348de10090b706d557c1a1dc185d85d9.exe
Verdict:
Malicious activity
Analysis date:
2024-07-11 10:19:13 UTC
Tags:
evasion stealer agenttesla ftp exfiltration
Link:
https://app.any.run/tasks/59f224a0-407c-4719-8c49-20fcf5cca05b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Malware.PDB-71.UNOFFICIAL
Create hunting rule

Porcupine.MSIL.Kryptik.AGOA.247493.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=668fb15b6df1b20b8ec481f6win10vpnfull_triage
Tags:
Static Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto_obfuscator_for_net obfuscated packed packed
Link:
https://www.filescan.io/uploads/668fb15c7a9d16520070422c/reports/14ef2121-28e2-4cad-b629-04e84abc6f70/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8f4b800989b8b2a9d2780525bbab21a1348de10090b706d557c1a1dc185d85d9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f50354af-7860-4e9b-9eab-351536cb2641
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1471426
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8f4b800989b8b2a9d2780525bbab21a1348de10090b706d557c1a1dc185d85d9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f4b800989b8b2a9d2780525bbab21a1348de10090b706d557c1a1dc185d85d9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-07-09 17:40:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r5fyacmjxczktutyaus3xkzbue2i3yiasc3qnvkxygq5ygc5qxmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20a79a2b8181e2b4b746e864d4aa3bdd4a81c20ff66862942008423ea9341267
AgentTesla
619399cbd9239d9e913787c807c3e5c5000d1d33a2260961764ac0a1be860686
AgentTesla
d93dd7a2596af7479ef16d2b345948d6c117d64fbadafd982da2a7631a096eb7
AgentTesla
d994719966b8445e43a5ed911590248e5b8dce21d96487f87c4069805ed9f100
AgentTesla
e56047d7cac83d463327286f0c39cb6ca99c56e331f3b090357323fc94690a8c
AgentTesla
+ 41 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240711-mbyeqascmr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/57d8e182-0934-440b-95d8-fa739e280fa7
Unpacked files
SH256 hash:
ab9e0c66bfbcf263bb82b85f4b5f64a83c53ca354aed14c549714a4b5bda40bc
MD5 hash:
66ec22638c14b07929f333be26c3b8a9
SHA1 hash:
ff084962ff4698cdef918a6f2b87b848ce1f0f55
Link:
https://www.unpac.me/results/d7241449-6e07-4328-bd73-907fa0902cde/
SH256 hash:
2721334b6e632df9c325337f43656c1e2ed4afb5e0e1e1b74a55055346d3200e
MD5 hash:
7b42afaa8d13acf084d3784cbc0bd4c2
SHA1 hash:
dfe0a822cda6a2a90d503eaa53c057573ee7ab32
Detections:
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
MALWARE_Win_AgentTeslaV2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/d7241449-6e07-4328-bd73-907fa0902cde/
Parent samples :
ee69b74d0f0dd59fcd87304863626efb727ad6255bc29a7d48b7a441390dff1a
3bc8d75fa8701770ed77fe6a4533e09eb3bab70f4605c6b34928f41a4a5d6487
c20765742b6d22e16299239e960d1c4e851fa9f12bd1b0696d4195f8890a6bf6
fc25ad86b8fbcf3ef16589806009d2025b9849a0af085e7848daa5543bdabab1
0e1c77e4b230515368f3da9e4c79de3b2d8d0a8d9597b03e05995a3cb41f5ef2
c12a4ab95d9caaf2f1a68db084dbfd38ebd65391041925d0417b08e50489f353
3daec2c8b6b1871c842499e95631be488a15404418ee31552bd84166bbe18167
9e19f6b4011cfb241e826abc5e52b9e2c5b99966a661ab548b90691b06cb3900
2721334b6e632df9c325337f43656c1e2ed4afb5e0e1e1b74a55055346d3200e
c3ee3362d47411cdd9030f241b4f00d189edc62258c7b1933855ecb08b5a4742
4eda01089b6fd41050aae217e8b03155ad2732bf3e6fb3f7d09d58c6851e75cd
d7f8f067c22777744b18acee1ac952e8bb2d8fb1227df0ddddecc90834aa927d
3c2e45ec9a4b0e3b05b964f8cc1b5a124101e223aaad08f060c90e9140a34377
7ae8ef9be5bb2e5187cdb274cfea0ef1a6ea2916c4e0834bd4174406d813165b
dceaf3150b973d48651d21d071d71871da278498c26a3d4af028d9628fbfc341
606208be5de0084765d4f19d34c2a9b1b9f537f12ce469c733aceeddd3c091e6
fbd4a102841baa25dceb0d59e62cbf970e56ce4e301c629916734a727fe20a58
ae9f157e9ac6956863d36c82f45f27fa14fa6f78ad98ba73218593b5d32f44c6
8f4b800989b8b2a9d2780525bbab21a1348de10090b706d557c1a1dc185d85d9
SH256 hash:
8f4b800989b8b2a9d2780525bbab21a1348de10090b706d557c1a1dc185d85d9
MD5 hash:
33560e0b01fcf591a0dfc7a49ac0e2f5
SHA1 hash:
12454015201a16c2795732814ee1e4a829295c41
Link:
https://www.unpac.me/results/d7241449-6e07-4328-bd73-907fa0902cde/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AlphaCrypt
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f4b800989b8b2a9d2780525bbab21a1348de10090b706d557c1a1dc185d85d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 8f4b800989b8b2a9d2780525bbab21a1348de10090b706d557c1a1dc185d85d9

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments